Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a denial of service (infinite loop) of a collectd instance (configured with "SecurityLevel None" and with empty "AuthFile" options) via a crafted UDP packet.

The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4793-1 advisory.

  - Heap-based buffer overflow in the parse_packet function in network.c in collectd before 5.4.3 and 5.x     before 5.5.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute     arbitrary code via a crafted network packet. (CVE-2016-6254)

  - The csnmp_read_table function in snmp.c in the SNMP plugin in collectd before 5.6.3 is susceptible to a     double free in a certain error case, which could lead to a crash (or potentially have other impact).
    (CVE-2017-16820)

  - Incorrect interaction of the parse_packet() and parse_part_sign_sha256() functions in network.c in     collectd 5.7.1 and earlier allows remote attackers to cause a denial of service (infinite loop) of a     collectd instance (configured with SecurityLevel None and with empty AuthFile options) via a crafted     UDP packet. (CVE-2017-7401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2615 advisory.

  - collectd: Infinite loop due to incorrect interaction of parse_packet() and parse_part_sign_sha256()     functions (CVE-2017-7401)

  - collectd: double free in csnmp_read_table function in snmp.c (CVE-2017-16820)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

marcinguy reports :

After sending this payload, collectd seems to be entering endless while() loop in packet_parse consuming high CPU resources, possibly crash/gets killed after a while.

Fix CVE-2017-7401 collectd: Infinite loop due to incorrect interaction of parse_packet() and parse_part_sign_sha256() functions. This is a bug in the network plugin.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for collectd is now available for RHEV 4.X RHEV-H and Agents for RHEL-7 and RHEV Engine version 4.1.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

collectd is a small C-language daemon, which reads various system metrics periodically and updates RRD files (creating them if necessary). Because the daemon does not start up each time it updates files, it has a low system footprint.

The following packages have been upgraded to a newer upstream version:
collectd (5.7.1). (BZ#1446472)

Security Fix(es) :

* collectd contains an infinite loop due to how the parse_packet() and parse_part_sign_sha256() functions interact. If an instance of collectd is configured with 'SecurityLevel None' and with empty 'AuthFile' options an attacker can send crafted UDP packets that trigger the infinite loop, causing a denial of service.
(CVE-2017-7401)

Infinite loop due to incorrect interaction of parse_packet() and parse_part_sign_sha256() functions :

Collectd contains an infinite loop due to how the parse_packet() and parse_part_sign_sha256() functions interact. If an instance of collectd is configured with 'SecurityLevel None' and with empty 'AuthFile' options an attacker can send crafted UDP packets that trigger the infinite loop, causing a denial of service.
(CVE-2017-7401)

It was discovered that there was an infinite loop vulnerability in collectd, a statistics collection and monitoring daemon.

When a correct 'Signature part' is received by an instance configured without the AuthFile option, an endless loop occurs in the parse_packet routine due to a missing pointer increment to the next unprocessed part.

For Debian 7 'Wheezy', this issue has been fixed in collectd version 5.1.0-3+deb7u3.

We recommend that you upgrade your collectd packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
183566	Ubuntu 16.04 ESM : collectd vulnerabilities (USN-4793-1)	Nessus	Ubuntu Local Security Checks	critical
117321	RHEL 7 : collectd (RHSA-2018:2615)	Nessus	Red Hat Local Security Checks	critical
101826	FreeBSD : collectd5 -- Denial of service by sending a signed network packet to a server which is not set up to check signatures (08a2df48-6c6a-11e7-9b01-2047478f2f70)	Nessus	FreeBSD Local Security Checks	high
101671	Fedora 26 : collectd (2017-822d460ae2)	Nessus	Fedora Local Security Checks	high
100454	RHEL 7 : collectd (RHSA-2017:1285)	Nessus	Red Hat Local Security Checks	high
100274	Amazon Linux AMI : collectd (ALAS-2017-829)	Nessus	Amazon Linux Local Security Checks	high
99678	Fedora 24 : collectd (2017-6b639afc9c)	Nessus	Fedora Local Security Checks	high
99644	Fedora 25 : collectd (2017-80763c8c03)	Nessus	Fedora Local Security Checks	high
99189	Debian DLA-884-1 : collectd security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-7401

high

Tenable Plugins

critical

critical

high

high

high

high

high

high

high